WASHINGTON (3/11/10)--Credit unions seeking ways to serve members with small businesses need to be alert to cyberattacks against the online banking accounts of small and mid-size businesses and make sure their authentication processes can withstand those attacks. During fourth quarter 2009 alone, cyberthieves stole more than $150 million from small and midsize business accounts, says the Federal Deposit Insurance Corp. (FDIC).

The scope of the thefts has raised questions about the authentication and fraud-detection measures used by financial institutions. Several banks are fighting lawsuits from business customers seeking to recoup some of their losses, according to Computerworld (March 10).

Almost all the incidents reported to FDIC involved malicious software (malware) on online banking customers' personal computers (PCs) that tricks a victim into visiting a malicious website or downloading a Trojan horse program that provides access to the business' banking passwords, according to David Nelson, FDIC examination specialist, who spoke at an RSA conference in San Francisco last week (IDG News Service March 8).

Banks require their business customers to use several forms of authentication, but online banking customers may rely too much on authentication and layers of controls--because hackers are still stealing, said Nelson. Hackers are targeting higher-balance accounts and looking for small businesses where controls might be lax, said Nelson.

This is problematic not only for the business facing losses but for the financial institution serving that business. Businesses do not have the deposit reimbursement protections that consumer deposits do if funds are stolen from their accounts. Instead, they eat the losses from fraud in wire transfers and in the automated clearinghouse system--and some file lawsuits against their banks. Typically the suits claim the banks failed to detect and stop transactions that were patently fraudulent.

Hillary Machinery Inc. sued its bank, Plains Capital, after cybercrooks stole more than $800,000 from the company's account last year. Hillary charges the bank did not stop the wire transfers, which involved foreign bank accounts and dollar amounts that were not typical for the company. The suit alleges that Hillary had a reasonable expectation that the bank would protect the company's account. It also argues that a small business should not be expected to have significant expertise on data security issues.

In another case, after it lost $560,000 from its account to cyberthieves, Experi-Metal Inc., a Michigan-based firm, sued Comerica Bank, alleging the bank did not heed the red flags that signaled fraud was occurring.

Several years ago the Federal Financial Institutions Examination Council issued guidelines suggesting financial institutions upgrade their single-factor authentication processes, based on usernames and passwords, by adding a stronger, second level of authentication. However, many banks are not using these solutions.

The growing and more sophisticated hacking attacks are testing the token-based authentication measures that many banks have used for years, Paul Smocer, vice president of security at BITS, told Computerworld (March 10). BITS is an industry consortium representing the 100 largest financial institutions. It is advising its members to work with law enforcement to determine patterns used by the money mules working the accounts for the cyber criminals.

Other organizations advise financial institutions to review their internal security controls and implement multiple security layers to help them detect fraud on their members' accounts.
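The suits above turn on signals the bank already had in hand: a beneficiary abroad and an amount out of line with the company's own history. The following is an added example, not code from the article or from any institution named in it, of the kind of layered transfer checks the last paragraph recommends, run over constructed sample data; the thresholds, the "ZZ" country placeholder and the hold-for-callback policy are assumptions.

```python
"""Layered checks over outbound wire transfers, using the signals the suits
describe: a beneficiary abroad and an amount out of line with the customer's
own history. All transfers below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Transfer:
    when: datetime
    amount: float
    dest_country: str  # assumed: ISO code of the beneficiary bank's country

def baseline(history):
    """Median and median absolute deviation of past amounts: robust to the
    occasional large but legitimate payment."""
    amts = [t.amount for t in history]
    m = median(amts)
    mad = median(abs(a - m) for a in amts) or 1.0  # avoid division by zero
    return m, mad

def score(transfer, history, home="US", window=timedelta(hours=24), burst=3):
    """Each layer that fires adds one reason; no single layer decides alone."""
    reasons = []
    m, mad = baseline(history)
    if abs(transfer.amount - m) / mad > 5:  # assumed threshold: 5 MADs
        reasons.append(f"amount {transfer.amount:,.2f} atypical vs median {m:,.2f}")
    seen = {t.dest_country for t in history}
    if transfer.dest_country != home and transfer.dest_country not in seen:
        reasons.append(f"first transfer to foreign country {transfer.dest_country}")
    recent = [t for t in history if timedelta(0) <= transfer.when - t.when <= window]
    if len(recent) + 1 >= burst:
        reasons.append(f"{len(recent) + 1} transfers within {window}")
    return len(reasons), reasons

def decide(transfer, history, hold_at=2):
    """Assumed policy: two or more firing layers hold the wire for out-of-band
    (callback) verification instead of releasing it automatically."""
    n, reasons = score(transfer, history)
    return ("hold" if n >= hold_at else "release"), reasons

# Constructed history: eight routine domestic payments, one per day.
START = datetime(2010, 3, 1)
HISTORY = [Transfer(START + timedelta(days=i), a, "US")
           for i, a in enumerate([5200, 6100, 5800, 7300, 6600, 5500, 6900, 6200])]
NORMAL = Transfer(START + timedelta(days=8, hours=2), 6400, "US")
# "ZZ" is a placeholder for a foreign country this customer has never paid.
FRAUD = Transfer(START + timedelta(days=8, hours=2), 92000, "ZZ")
```

Calling `decide(FRAUD, HISTORY)` holds the wire with two reasons (atypical amount, first foreign destination), while `decide(NORMAL, HISTORY)` releases it; the burst layer fires only when several wires leave within the same window.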